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Abstract 



Information-theoretic secret-key agreement is perhaps the most practically feasible mechanism that provides 
unconditional security at the physical layer to date. In this paper, we consider the problem of secret-key agreement 
by sharing randomness at low power over an orthogonal frequency division multiplexing (OFDM) link, in the 
presence of an eavesdropper. The low power assumption greatly simplifies the design of the randomness sharing 
scheme, even in a fading channel scenario. We assess the performance of the proposed system in terms of secrecy 
key rate and show that a practical approach to key sharing is obtained by using low-density parity check (LDPC) 
codes for information reconciliation. Numerical results confirm the merits of the proposed approach as a feasible 
and practical solution. Moreover, the outage formulation allows to implement secret-key agreement even when only 
statistical knowledge of the eavesdropper channel is available. 
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I. Introduction 

Wireless communication systems and networks are particularly prone to attacks, because the inherent 
^ ! broadcast nature of the radio channel makes any terminal in the transmission range a potential threat. 
^ [ Physical-layer security aims at strengthening these systems by exploiting the imperfections of communi- 
cation channels with appropriate coding and signaling strategies at the physical layer. Since the seminal 
works [H]| — fl3j , physical-layer security has mainly focused on two mechanisms: secret communication over 
the wiretap channel, and secret-key agreement with the aid of a public side channel. 

While several results have established the benefits of diversity, fading 01, and multiple antenna Q, 10, 
to improve secret-key rates over wireless channels, little has been done to analyze secret-key agreement 
in the context of OFDM systems, which have become the reference wireless physical layer technique 
for high data rate wireless communications. Previous work on secret-key agreement in OFDM systems 
and fading environments has used a source model for secret-key agreement based on channel reciprocity 
0, so that separate measurements of the channel coefficients of the wireless link between the legitimate 
terminals could be used as the shared randomness. Other related works have also considered the problem 
of secure communication over OFDM channels by modeling them as parallel wiretap channels fl8), [0, 
based on the fact that an OFDM system is designed to avoid interference among subchannels and among 
symbols. However, a sophisticated eavesdropper may refuse to implement the canonical OFDM receiver, 
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Fig. 1. Block diagram for the vector/matrix representation of a secret key agreement scheme based on OFDM. 

keeping the cyclic prefix (CP) samples to increase the amount of information he can get out of it, and 
thus creating interference among the wiretap channels. 

In this paper, we consider the problem of generating secret cryptographic keys over a wireless channel 
by using OFDM transmission with CP for randomness sharing. We consider a channel model for secret- 
key agreement, in which randomness is injected into the channel by one of the legitimate terminals. 
Moreover, we analyze slow fading dispersive channels, for which the channel impulse responses are 
assumed to remain constant over the whole duration of the randomness sharing phase. We first show that 
in the low-power limit the strategy to allocate all transmit power on the subchannel having the highest 
channel gain to the legitimate receiver is first-order optimal. We derive the secret key achievable rates in 
this case, and observe that first-order optimality is retained by replacing Gaussian inputs with a quaternary 
phase shift keying (QPSK) constellation with the same variance. Then, as a practical solution, we propose 
the use of LDPC coding for information reconciliation. Indeed, LDPC codes are state-of-the-art error 
correcting codes, characterized by soft decoding algorithms able to approach the unconstrained channel 
capacity, with limited complexity. They have already found several applications in physical-layer security, 
either as codes for near-optimal information reconciliation in secret-key agreement schemes [[T0l - [[T2l . or 
as codes for secure communication over wiretap channels fH3l . Ifl4l . In order to assess the merit of the 
practical solution we also consider as performance metric the security gap defined as the ratio between the 
legitimate and eavesdropper signal to noise ratio (SNR) which allows reliable decoding for the legitimate 
receiver, while keeping the eavesdropper bit error rate (BER) and frame error rate (FER) sufficiently 
close to 0.5 and 1, respectively. We focus on regular LDPC codes, since both their optimization and 
implementation are simpler than for irregular codes. In addition, regular LDPC codes also include several 
classes of structured codes |fI51 , which are well suited to practical implementation [fT6l . Lastly, we discuss 
the design of the system based on an outage approach, when the channel of the eavesdropper is known 
only statistically to the legitimate transmitter. 

We denote vectors and matrices with lowercase and uppercase boldface letters, respectively, and the 
complex conjugate transposed of matrix A as with A*. The eigenvalues of an L x L matrix A are denoted 
by Aj(A), i = 1, . . . , L. Given a vector g G C L , we denote by Toep^ (g) the (N + L — 1) x N Toeplitz 
matrix having [gr 1( 0, . . . , 0] as its first row and [gx, . . . , g L , 0, . . . , 0] as its first column. 

II. System model 

In the typical physical-layer key-agreement scenario, two legitimate terminals, which we call A and B, 
aim at deriving a common bit sequence (the key) that must be kept secret from an adversary who will 
be called E. For this purpose, A and B have access to a noisy wireless link and to a public, error-free 



authenticated channel. However, it is assumed that, due to the nature of the wireless medium, a link also 
exists from A to E and that messages on the public channel may be observed by E. 

We consider that the wireless link is implemented through an OFDM system with M subcarriers, equally 
spaced in frequency, and a CP of fi samples. For convenience, we use the matrix representation of the 
OFDM/CP system introduced in ifTTl . that can be inferred from Fig. [Q The description is based on the 
discrete time equivalent of the system with N samples per symbol period, and its efficient implementation 
through the fast Fourier transform (FFT) algorithm. We assume that the CP is longer than the main channel 
impulse response #r in order to avoid intersymbol interference (ISI) and interchannel interference (ICI) at 
the legitimate receiver. The input-output relationships are then a special case of the multiple input multiple 
output (MIMO) Gaussian wiretap channel: 

y = G R x + w R 
and z = Gex + we 

where the vector x G contains the signal samples corresponding to an OFDM symbol, transmitted on 
the channel, while multiplications of x by the Toeplitz matrices Gr = Toep^ (g^) and Ge = Toep^ (gs) 
are the convolutions of the input signal with the channel impulse responses g R = [<7r(0), . . . , #r(Xr — 1)] 
and gE = [#e(0), . . . , <7e(£e — 1)], having lengths Lr and Le, respectively. The noise vectors wr, we ~ 
CV(0, 1/v+Lj-i). with i = R, E, comprise independent, zero-mean, unit-variance, circularly symmetric 
complex Gaussian variables. 

To impose the OFDM structure on the transmitted signal, we write 

x = Tu, (2) 

where the vector u G C M contains the frequency domain symbols loaded on the M subcarriers. The 
OFDM modulation matrix T is an N x M matrix that can be written as T = AF*, in which F represents 
the FFT matrix of size M, while A G C NxAI is responsible for inserting \i = N — M redundant samples 
that are needed to overcome the delay spread of the dispersive channel, i.e., 
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(3) 



Similarly, demodulation at the receiver is represented by the multiplication v = Ry of the legitimate 
channel output by the matrix R = FB. Here B is such that under the condition Lr < //, 

RG R T = diag(£ R (/ i )), (4) 

in which Gn(fi), i = 1, . . . , M is the length M FFT of the legitimate channel impulse response. Thus, 

B = [ Omxh ^-m Omx(Lr-i) ] • (5) 

Given the above, the OFDM system scenario with generic eavesdropper can be represented as an equivalent 
MIMO Gaussian wiretap channel: 

V = HrU + 

and z = Heu + we 

with H R = diag(£?R(/i)), H E = G E T and = Rw R . Consequently, the covariance matrix of the 
demodulated noise at the legitimate receiver is K w ^ = RR* = 1m- 



III. LOW POWER RANDOMNESS SHARING AND ACHIEVABLE SECRET-KEY RATES 

From known results regarding the MIMO Gaussian wiretap model, the secret-key capacity with a given 
input covariance matrix K u is obtained with Gaussian inputs, and is given by (6l 



R = log 2 



I + K u (H R H R + H* H E ) 



log 2 



I + KuH e HeKu 



(7) 



On the other hand, from [6., Proposition 2], we also know that, in the low-power regime, i.e. when the 
available power P goes to zero, the optimal transmission strategy is to concentrate all the power along 
the eigenspace of the legitimate channel Hr corresponding to the maximum eigenvalue, regardless of 
the eavesdropper's channel. In our case, the optimal input covariance matrix that satisfies the total power 
constraint 

tr(K x )=tr(TK u T*)<P, (8) 

is diagonal, with only one nonzero entry, corresponding to the subcarrier that exhibits the maximum 
channel gain. Namely, 

K u = -^-e m e* m , (9) 
l + p 

in which p = p/M, {e^} is the canonical base of M M and 

m = argmax|Ai(H R H R )| = argmax |^ R (/i)| . (10) 

i i 

Accordingly, the secret-key rate achieved for P > with the low-power optimal transmission strategy is 



R = log, 



l + Tfcl^R(/ m )| 2 + Tfel|H E e, 
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where Ar = ^-|^R(/ m )| 2 an d Ae = Y^||HEe m || 2 are the SNR of the two channels, relative to the 
chosen subcarrier. 

Moreover, by leveraging the low-power, first-order expansion of mutual information in [18], the result in 
(61 Proposition 2] can be extended to any complex input with the same covariance matrix, and independent 
real and imaginary components. Therefore, in the low-power regime, Gaussian signaling is no longer 
necessary to achieve the secret-key capacity of the channel, and A can transmit symbols from a discrete 
constellation (e.g., QPSK) without incurring significant losses with respect to expression (fTTT > Q. 

IV. Practical Solution 

The choice of a QPSK modulation for randomness sharing simplifies the design of the information 
reconciliation phase. Indeed, as reconciliation of continuous variables is not needed, it can be effectively 
implemented through standard soft decoding techniques of a binary code in an additive white Gaussian 
noise (AWGN) channel with binary input. For instance, [fT2l employs fixed LDPC codes with syndrome 
transmission on the public feedback channel. 

In this section, as an alternative to the standard reconciliation scheme, we derive a suboptimal, still more 
convenient, practical approach. We first observe that since the transmitter chooses the best subchannel 
to the legitimate receiver, it is quite likely that Ar > Ae- Therefore, the proposed approach is to use 
the resulting wiretap channel (said to be stochastically degraded) to deliver a secret key created at the 
transmitter, without leveraging the presence of a public, noiseless, side channel for discussion. 



'An analogous result holds for low-power secrecy capacity of a MIMO Gaussian channel 1 19]. 



As a further step towards practice, we consider finite length codes. In this context, we aim for a looser 
notion of secrecy, based on the eavesdropper BER rather than mutual information. 

We now focus on the use of LDPC codes as secrecy codes for the wiretap channel. We observe that 
their behavior can be approximated by assuming that if the SNR working point A is close to the decoding 
threshold A t h, a small decrease of A would cause the code to be unable to correct the errors. On the 
other hand, a small increase of A would allow to decode correctly all of them. The threshold A th will 
be derived in the following. Under the physical-layer security viewpoint, the ideal condition would be 
reached if an eavesdropper at Ae = A t h — e, with e arbitrarily small, was unable to get any information on 
the received codewords, while the authorized receiver at A R = A th + e can perfectly recover the message. 
In this case, the security gap S g = A R /A E needed to achieve the security and reliability conditions would 
be very small. 

In order to approach the ideal condition, we can consider rather long codes together with scrambling 
Ifl4ll . Il20ll , ETTl . Under the hypothesis that the scrambler can approach the perfect scrambling condition, 
as defined in 11211 . the BER is about half the FER; so, the eavesdropper's performance is strongly affected 
by his degraded channel. 

For the derivation of A th we consider the density evolution technique, whose core is represented by 
the following recursion [|22l : 



In (fT2l . £i denotes the mean of a randomly chosen message from a check node in the associated Tanner 
graph at iteration i, E c is the energy per codeword bit, a 2 is the noise variance, w c and w r are the 
parity-check matrix column and row weights, respectively, while the function \& is defined as follows: 



The decoding algorithm is supposed to perform a maximum number of iterations equal to /. If & becomes 
greater than 1 for some i < I, this means that the LDPC code is able to correct all errors. Thus, by using 
(fT2l) . we can obtain the maximum channel noise levels for which the message-passing decoder will be 
able to correct all errors, which is also known as the decoding threshold for the specified ensemble of 
LDPC codes. For the ease of implementation, we use the approximated version of density evolution which 
assumes that all messages are Gaussian and also consistent (that is, with variance equal to twice the mean). 

As an example, we have considered a QPSK modulated transmission over the AWGN channel, and 
an SNR working point A = — 2dB. Using density evolution, we find that A th « — 2dB for regular 
LDPC codes with: i) w c = 3 and code rate 0.25; ii) w c = 4 and code rate 0.15; iii) w c = 5 and code 
rate 0.03. We have focused on w c = 3, and used the progressive edge growth algorithm [|23l to design 
two (almost) regular LDPC codes with rate 0.25 and length 5 000 and 10 000, respectively. With QPSK 
modulation, the above code rate corresponds to 0.5 bits per channel use. Their performance has been 
assessed through numerical simulations, using the log-likelihood version of the sum-product algorithm 
E4l for LDPC decoding. The results obtained are reported in Fig. [2] If we fix the security condition 
as to ensure that E experiences a FER > 0.9, this is reached, for both codes, when Ae < — 2.2dB. 
Concerning B's reliability condition, we can require that the frame error rate he experiences is < 10~ 4 . 
This is achieved for Ar > — 1.2dB, for the first code, and Ar > — 1.45dB, for the second code. Thus, the 
security gap is S g — ldB and S g = 0.75 dB, respectively. Obviously, using longer codes would further 
reduce the security gap. 




(12) 




(13) 




Fig. 2. Simulated frame error rate for two LDPC codes with rate 0.25, parity-check matrix column weight 3, codeword length 5 000 and 
10 000. 



V. Outage-based protocol design 

While it seems reasonable to assume that the legitimate channel is perfectly known to both the legitimate 
terminals, and hence the optimal subcarrier index m and the corresponding value Ar, assuming knowledge 
of the eavesdropper channel state is in general unrealistic. In the following, we assume that the transmitter 
only has statistical channel state information (CSI) about the eavesdropper channel. 

The legitimate parties must therefore pursue a tradeoff between the key rate they settle for, and the 
secret key outage probability (that is the probability that the actual secret key capacity is lower than their 
intended rate). A possible approach is to always adjust the transmitted power P so that A R has a fixed 
value. Then, the secret-key rate must be chosen so that the outage probability is small enough. An example 
is reported in Fig. |3] which illustrates the cumulative distribution function (CDF) of the achievable secret 
key rates (fTTI) assuming the legitimate and eavesdropper channel coefficients are random realizations drawn 
from the same fading distribution. We considered an OFDM system with M = 256 subcarriers, CP length 
\i = 16, that is, transmitting over frequency selective channels with length Lr = Le = [i. Both the channel 
impulse responses towards B and E have independent Rayleigh fading taps with exponentially decaying 
power delay profile (PDP) and r R = EiMMOl 2 } = -10 dB and T E = E {MOI 2 } = -10 dB. 
However, the transmission power P is adjusted in order to guarantee Ar = —1 dB. We see that by fixing 
an outage probability of 10~ 3 we should aim at a secret key rate R = 0.28 bit per channel use. For the 
sake of comparison, we also show in the figure the CDF of the achievable secrecy rate for the same 
system and with the same input. Observe that the secrecy rate is always much lower than the secret-key 
rate with public discussion and may result in a zero rate with very high probability. On the other hand, 
when the eavesdropper average SNR is much lower than the one of the main channel, the achievable rates 
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Fig. 3. CDF of the achievable secret key rates and secrecy rates when both the channels to B and E have an exponential PDP with 
Tr = Te = — 10 dB, and the transmitted power P is adjusted so that Art = — 1 dB. 



for the two schemes are quite close, as shown in Fig. |4] 

Notice that, in order to characterize the secret-key outage probability, it is important to determine the 
statistical description of the random variable A E . In the Rayleigh fading case, as multiplying a complex 
Gaussian random variable by a constant phase term does not change its distribution, it can be seen that 
A E is distributed as 



E E*w +(n-l e +i) x>w E>eM 



n=l \i=l 



n=l \j=n+l 



(14) 



Then, A E can be easily rewritten as the quadratic form A E = 7*07, in which 7 ~ £/V(0, Ix B ) and 
C is a positive semidefinite matrix function of the system parameters M, N and of the channel PDP. 
Therefore, A E is distributed as the sum of independent exponential random variables with means equal 
to the eigenvalues of C, Ai(C), . . . , Al e (C). Then, the CDF of A E is obtained as 



Ab( )_ ^a ¥i (A,(C)-A,(C)) V 



(15) 



Similarly, also when considering the practical solution based on the used of LDPC codes for the wiretap 
channel scenario, described in Section [TV] we can easily assess the effect of knowing E's channel only 



in statistical terms. After having defined the security condition in terms of Eve's frame error probability, 
which implies A E < A th — e, we can obtain the security outage probability as follows: 

P {Ae > Ath - e} = 1 - F\ E (A t h - e). (16) 
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Fig. 4. CDF of the achievable secret key rates and secrecy rates when both the channels to B and E have an exponential PDP with 
Tr = — lOdB and different values of Te, and the transmitted power P is adjusted so that Ar = — 1 dB. 

VI. Conclusions 

We have considered the problem of information theoretical secret-key agreement by sharing randomness 
at low power over an OFDM link, in the presence of an eavesdropper. 

The low power assumption greatly simplifies the design and performance evaluation of the optimal 
scheme, even in a fading channel scenario and when the potential eavesdropper cannot be modeled as an 
OFDM receiver. In fact, by leveraging the analogy with a Gaussian MIMO channel, we have shown that 
the randomness sharing phase can be designed with complete ignorance of the eavesdropper channel state, 
without loss of optimality. It results in a QPSK modulation over the subcarrier that exhibits the maximum 
amplitude of the legitimate channel frequency response. As a further consequence, LDPC codes, and their 
efficient soft decoding techniques can be employed effectively for information reconciliation, or directly 
as codes for the wiretap channel. 

We have also provided an outage formulation and have explored the tradeoff between the secret key 
rate and the probability of secrecy outage, for proper dimensioning of the scheme. 



We point out that a similar approach can also be used for higher transmitted powers, although, in that 
case, a water-filling power distribution on the legitimate channel frequency response is suboptimal for 
randomness sharing. However, it is shown in [6, Section V] to provide satisfactory results, and to achieve 
secret-key capacity again in the high power limit. The design of a protocol exploiting this solution will 
be pursued in our future work. 
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